On Thu, Nov 10, 2005 at 02:31:09PM +0100, Marc Leeman wrote:
> > (most of these problems are probably inherited from the quake2
> > packaging you used). You will have to fix most of these before
> > someone should sponsor the package.
>
> > W: quake3-data:
> > possibly-insecure-handling-of-tmp-files-in-maintainer-script postinst:225
>
> I use /tmp/ for the place to download the point and demo files. This
> used to be /root/. Since I do not think temporary installs should be
> dl'd there, I moved them to tmp. The extraction of the file is done in a
> dir with tempfile. I could move this one level deeper and again use
> tmpfile, but from a functional point of view, this does not change much,
> especially since the warning only kicks in when the default from
> templates is emptied out in the user interaction.

Lintian is right, if for the wrong reason.

tempdir() {
    _TEMPDIR=`tempfile --directory $1 --prefix quake3-data`
    # kill off fresh tempfile
    rm $_TEMPDIR
    mkdir $_TEMPDIR
    echo $_TEMPDIR
}

That is a tag + security race condition between rm and mkdir. You'll
want to use mktemp -d instead. I didn't look at your script closely;
there may be other problems. Nothing should ever get written to /tmp/
except if the output filename is the result of a successful ($?==0) call
to mktemp or tempfile.

-- 
Clear skies,
Justin
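
The mktemp -d replacement suggested in the reply above, written out as an added example (not code from the original message or from the quake3-data package). The names safe_tempdir and stage_download and the file name pointrelease.bin are hypothetical. Unlike the quoted helper, it prints a path only when the directory was actually created.

```shell
#!/bin/sh
# Added example: hardened replacement for the quoted tempdir() helper.
# safe_tempdir and stage_download are hypothetical names.

# Create a private directory under $1 (default /tmp) in one step.
# mktemp -d picks the name and creates the directory (mode 0700) itself,
# failing if the name already exists, so there is no gap between
# "name chosen" and "directory created" as with rm followed by mkdir.
safe_tempdir() {
    _parent=${1:-/tmp}
    _dir=$(mktemp -d "$_parent/quake3-data.XXXXXX") || return 1
    # Defence in depth: accept only a real directory owned by this user.
    if [ -L "$_dir" ] || [ ! -d "$_dir" ] || [ ! -O "$_dir" ]; then
        return 1
    fi
    printf '%s\n' "$_dir"
}

# Sketch of the maintainer-script flow: every path written below /tmp is
# derived from a successful safe_tempdir call; on failure nothing is
# written and the caller sees a non-zero status.
stage_download() {
    _work=$(safe_tempdir "${1:-/tmp}") || {
        echo "cannot create temporary directory" >&2
        return 1
    }
    # Constructed stand-in for the downloaded point-release file.
    printf 'constructed sample payload\n' > "$_work/pointrelease.bin"
    printf '%s\n' "$_work"
}
```

A caller should test the exit status before using the result, for example `dir=$(safe_tempdir) || exit 1`, and remove the directory when it is done.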